A breach which has leaked personal data for two million Vodafone Germany customers has been claimed to be the work of an insider, according to Vodafone. The company warned the leak could lead to increased risk of targeted phishing attacks.

Customers’ names, birthdates, addresses leaked – as well as their bank account and branch numbers, Vodafone Germany admitted. The company said that passwords, PIN numbers and credit card details were safe.

“This attack could only be carried out with high criminal intent and insider knowledge and was launched deep inside the IT infrastructure of the company,” Vodafone said, according to a report by Phys.org. The information was stolen from a database within the company network, according to the BBC.

Vodafone said that the attackers had not gained access to enough information to access clients’ bank accounts – but that the data could raise the risk of “phishing” attacks. Only German customers were afffected by the attack, Vodafone said, and those afffected would be contacted by post.

“Vodafone deeply regrets the incident and apologises to all those affected,” the company said, adding that it was now working with police, and that one suspect had been identified.

“In coordination with the authorities, Vodafone Germany is now fully informing all affected persons and supporting them in avoiding possible adverse effects.”

ESET Senior Research Fellow David Harley says, “ The real risk to everyday customers partly depends on how much of the stolen data has been shared with other criminals, which isn’t clear from the story. In any case, from the sound of it, not enough data have been exfiltrated for a direct attack on customers en masse. However, there is the risk of some kind of data aggregation attack where the information that has been shared is used to give credibility to a phishing-type email.”

Information such as customer names and addresses can be useful to attackers, Harley warns.

“In general, the weakness of generic phishing is that the attacker doesn’t have information specific to potential victims, so mails out emails addressed non-specifically to ‘Dear Valued Customer’ or something similar. If a victim reads an email with his actual name and minimal account details, even a phish-savvy customer may be more inclined to trust it. However, s/he can reduce the risk by being sceptical about all emails asking for sensitive information and revalidation of account information and assume that any links are likely to be malicious. Banks don’t (or shouldn’t) send such requests by email, which is more likely to be used for marketing purposes. In general, customers shouldn’t click or follow up on any link in email that asks for customer-specific information. If you think it might be genuine, go to a link that you know is genuine.”

“However, it’s a lot more effort to mail out semi-personalized phish messages in any quantity, and I’m not sure how likely it is that a scammer will go to that trouble.”

“As for insider attacks, there’s no totally effective way of preventing someone with privileged access misusing that access, as the NSA will testify. However, a business can minimize the risks by being all the more careful about vetting people in roles that allow them such access, ensuring that people who don’t need that access don’t have it (for instance, when they change roles) and so on. Obviously, the use and diligent maintenance of technical controls like internal firewalling also has a bearing. Clearly, not all attackers are on the outside.”